cocoon-dev mailing list archives

Hello Andreas,
This is very interesting!
But I'm not sure I understand:
Is your organization tree stored in a LDAP repository?
Your four groups of users are similar to roles?
You store the role information inside the InetOrgPerson class. Is it a persistence class?
Where do you use Cocoon in your authentication process?
Thanks for your help.
Sylvain
-----Original Message-----
From: Andreas Hochsteger [mailto:e9625392@student.tuwien.ac.at]
Date: Wednesday, 3 September 2003 07:12
To: dev@cocoon.apache.org
Subject: Re: Cocoon 2.1 Authentication Bug? *Please* Help
Hi!
I'm no LDAP expert, but I can tell you how we are going to do
authentication and authorization:
We have 4 groups of users (Simple, Extended, Member, Employee) which are
hierarchically organized this way:
+-Simple
  +-User1
  +-...
+-Extended
  +-User2
  +-...
+-Member
  +-User3
  +-...
+-Employee
  +-User4
  +-...
They are organized this way, because everyone can be treated as a
simple user (has just username, password and email address), whereas
extended users, members and employees can be treated as extended users
(validated additional data is available) and so on ...
This can be achieved by a subtree search.
We use the InetOrgPerson class and store the role information in the
attribute 'groupOfUniqueNames'.
We store default roles (which are application dependent) for every group
but can attach additional roles to certain users.
I don't know if it will really work this way, but that's how we planned
to do it ;-)
Perhaps it will be of help to you.
BTW we use LDAP *only* for authorization and authentication. All
additional user data (postal address, profiles, ...) is stored in a
mysql database.
Bye,
Andreas
Carsten Ziegeler wrote:
> Hi,
>
> if you have different users with different roles, then I would
> store the information with your users in the LDAP.
> However, I don't know LDAP, so perhaps someone else can help here?
>
> Carsten
>
> Sylvain.Thevoz@swisscom.com wrote:
>
>>Hello,
>>
>>Yes, I don't have roles since I'm using the LDAP authentication,
>>all users are "Admin" at this moment.
>>
>>Do you think to create a static list in a file or database and
>>check which role has the user?
>>
>>I have thought about creating a static list but my problem is
>>that I have to enter ~1000 users in this list (I have about
>>20'000 users but only ~1000 have special roles). The solution is
>>maybe to use the groups defined in the LDAP repository, you would
>>have ~10 groups instead of ~1000 users in the static list. But if
>>you have groups, you have to use a LDAP query to know if the
>>authenticated user is in a group. It seems a bit complicated, no?
>>
>>What do you think about the best practice?
>>
>>Thanks
>>Regards
>>Sylvain
>>
>>
>>-----Original Message-----
>>From: Carsten Ziegeler [mailto:cziegeler@s-und-n.de]
>>Date: Monday, 1 September 2003 16:28
>>To: dev@cocoon.apache.org
>>Subject: RE: Cocoon 2.1 Authentication Bug? *Please* Help
>>
>>
>>Sylvain.Thevoz@swisscom.com [mailto:Sylvain.Thevoz@swisscom.com] wrote:
>>
>>>OK, I understand the mechanism.
>>>
>>>About the roles, since I used LDAP for the authentication I have
>>>a problem how to define the roles.
>>>By default the authentication uses the file sunrise-user.xml and
>>>the role is defined for each user inside this file.
>>>With LDAP authentication I retrieve the users from a LDAP
>>>repository and the role isn't defined in this repository.
>>>Have you an idea how I could define the role for each user?
>>>
>>
>>I guess from the above that you don't have roles. So, I would give
>>each user a default role and create a static list of roles with
>>this one role.
>>
>>HTH
>>Carsten
>>
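The group layout and role lookup Andreas describes, as an added example that is not code from the thread or from Cocoon: it assumes the groups nest Simple > Extended > Member > Employee (so a subtree search from an outer group also returns the inner groups' users), a constructed base DN, and a hypothetical per-user "appRole" attribute for the extra roles.

```python
# Added example, not code from the thread: emulates the nested group tree
# Andreas describes and resolves a user's effective roles from it, offline.
# Assumptions: groups nest Simple > Extended > Member > Employee, users sit
# under their group, extra per-user roles live in a hypothetical "appRole"
# attribute, and the per-group default roles are application configuration.
BASE_DN = "dc=example,dc=org"  # constructed suffix
GROUP_CHAIN = ["Simple", "Extended", "Member", "Employee"]  # outer -> inner
DEFAULT_ROLES = {"Simple": {"read"}, "Extended": {"comment"},
                 "Member": {"download"}, "Employee": {"admin"}}

def group_dn(name):
    """DN of a group node; inner groups are nested below the outer ones."""
    chain = GROUP_CHAIN[: GROUP_CHAIN.index(name) + 1]
    return ",".join("ou=" + g for g in reversed(chain)) + "," + BASE_DN

# Constructed inetOrgPerson entries keyed by DN (stands in for the server).
DIRECTORY = {
    "uid=user1," + group_dn("Simple"): {"appRole": []},
    "uid=user2," + group_dn("Extended"): {"appRole": []},
    "uid=user3," + group_dn("Member"): {"appRole": ["newsletter-editor"]},
    "uid=user4," + group_dn("Employee"): {"appRole": []},
}

def _under(dn, base_dn):
    # Suffix match on lower-cased DNs; a real directory needs RFC 4514
    # normalisation (spacing, escaping) rather than plain string compare.
    return dn.lower().endswith("," + base_dn.lower())

def subtree_search(base_dn, directory=DIRECTORY):
    """Emulate scope=subtree: every entry located below base_dn."""
    return sorted(dn for dn in directory if _under(dn, base_dn))

def groups_of(user_dn):
    """Groups whose subtree contains the user (an Employee is also a Member,
    an Extended user and a Simple user, which is what the subtree search gives)."""
    return [g for g in GROUP_CHAIN if _under(user_dn, group_dn(g))]

def effective_roles(user_dn, directory=DIRECTORY):
    """Union of the defaults of every enclosing group plus the user's own roles."""
    roles = set()
    for group in groups_of(user_dn):
        roles |= DEFAULT_ROLES[group]
    roles |= set(directory[user_dn].get("appRole", []))
    return roles

def authorize(user_dn, required_role, directory=DIRECTORY):
    """Deny an unknown DN outright instead of raising."""
    if user_dn not in directory:
        return False
    return required_role in effective_roles(user_dn, directory)
```

With ~20,000 users and only ~1000 carrying special roles, this keeps the static part down to one default set per group and one attribute on the few users that differ.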